Audit of the Controls over Inappropriate Personal Use of the Internet at NARA

OIG Audit Report No. 11-10

March 8, 2011

Table of Contents

Executive Summary
Background
Objectives, Scope, Methodology
Audit Results
Appendix A – Example of           Accessed with no Web Filter Restriction
Appendix B – Example of Web Filter Bypass
Appendix C – Example of a Site Accessed by
Appendix D – Example of Inappropriate Sites Accessible through Message Boards and Forums
Appendix E – Example of Discrepancies in Sites Blocked across NARA's Network
Appendix F – Management's Response to the Report
Appendix G – Report Distribution List

Executive Summary

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) completed an audit of NARA’s controls over the inappropriate personal use of the internet by NARA staff. NARA has established policy over the staff’s usage of the internet, which the Office of Information Services (NH) and the Office of Administration (NA), with the support of General Counsel (NGC), monitor and enforce. During this audit, we assessed the effectiveness of the controls and procedures NARA has in place to fully implement its policy.

In May 2010, NARA issued revised Directive 802, Appropriate Use of NARA Office and Information Technology (IT) Equipment and Resources, authorizing staff to use NARA office and IT equipment and resources when performing limited personal use during non-work time, provided the use does not interfere with official business or involve inappropriate use. Within the scope of this audit, the Directive defines inappropriate personal use as that in which a NARA employee engages in activities that are illegal or offensive. This includes accessing materials that are sexually explicit or involve gambling, weapons, or terrorist activities. In the past, NARA relied almost exclusively on its automated web filtering application to ensure NARA staff were not accessing inappropriate material. However, due to the failures of similar controls at other agencies recently coming to the attention of Congress and the media, NARA supplemented its web filtering application with monthly reporting procedures.

Our review found that although NARA has invested in tools and implemented procedures to monitor and prevent inappropriate internet usage by its staff, controls remain inadequate and NARA employees continue to access prohibited material.
NARA staff have been able to bypass the web filter and go undetected for the past four years, as this is when NARA began relying almost solely on its web filtering application to automatically block inappropriate use. NARA’s web filtering application is generally successful in blocking the majority of NARA staff that carelessly or inadvertently attempt to access inappropriate material. However, as reported at other agencies, the real risk comes from the staff who regularly bypass the inappropriate use controls, which was not found to be difficult at NARA. NARA’s web filtering application maintains a record of all NARA staff internet usage—which is invaluable in detecting employees who bypass the controls—however, even after NARA recently implemented its monthly reporting process, the limited amount of information reviewed and analysis conducted by NARA allowed excessive personal and inappropriate use to go undetected or unaddressed. Consequently, NARA is at risk for decreased public trust, reduced employee productivity, legal liability, and degradation of network performance.

Our audit identified several improvements to be made to NARA’s controls in preventing its staff from inappropriate use of computer resources. We made five recommendations to more thoroughly ensure that NARA Directive 802 is enforced and risks are minimized.

Background

NARA continues to embrace the ever increasing efficiencies of the internet in performing its mission.
Examples are contained throughout the FY 2010 Performance and Accountability Report, which includes NARA’s ongoing efforts to utilize social media and internet networking tools as a way to communicate and deliver timely information to the public. Furthermore, NARA—like nearly all modern organizations—depends on the internet at the most basic level for its employees to perform research, stay informed with current events affecting their job responsibilities, and communicate with fellow colleagues and NARA business partners.

In addition to internet usage by staff in support of NARA’s mission, NARA also recognizes the benefits of allowing staff to access the internet for limited personal use while at work. NARA Directive 802, Appropriate Use of NARA Office and Information Technology (IT) Equipment and Resources, specifically allows this in an effort to create a more supportive work environment. Benefits of such a policy generally go undisputed. However, left unchecked, some employees will inevitably abuse such privileges, putting the agency at risk.

An example of employee abuse of the internet within another federal agency was reported in the media this past year. Ongoing investigations at the Securities and Exchange Commission (SEC) discovered a number of SEC employees were attempting to access inappropriate material on the internet while at work. One of the SEC investigations was conducted at the request of a U.S. Senator. The investigations discovered the SEC’s web filter blocked many of the attempts made by its staff; however, employees were able to bypass the filter and gain access to a significant number of inappropriate sites.

Shortly after the most recent SEC investigation was reported, NARA began developing a procedure to supplement the web filter control that had been in place since 2007.
This procedure involved the Office of Information Services (NH) using the web filter application to generate reports listing NARA staff with multiple blocked website access attempts in the categories defined as inappropriate by NARA Directive 802. The initial report was run for a one week period at the end of April 2010, at which time it was provided to the Office of Administration (NA) and General Counsel (NGC). The report indicated ongoing abuse had been taking place; for example, one NARA employee identified in the report accumulated 40,000 blocked attempts during the initial one week reporting period. Beginning in July 2010, NA and NGC began receiving this report on a monthly basis.

Inappropriate internet usage by NARA staff is not a new occurrence at the Agency. The OIG previously reported on this matter in April 2003. Following the 2003 review, NARA developed corrective actions that were initially put in place to monitor and deter inappropriate internet usage in accordance with NARA Directive 802. However, as the controls in place continue to evolve, NARA must ensure the associated risks remain mitigated.

Objectives, Scope, Methodology

The overall objective of this audit was to determine whether NARA’s controls were adequate and effective in preventing and deterring NARA staff from using their government-assigned workstations to access inappropriate internet material, as defined by NARA Directive 802, Appropriate Use of NARA Office and Information Technology (IT) Equipment and Resources.
Our review focused on whether NARA employees were in compliance with directives restricting access to inappropriate web sites, and whether controls and administrative processes in place adequately prevent and deter NARA staff from accessing these sites.

To accomplish our objective, we interviewed key NARA personnel and contractor staff from the Office of Information Services and the Office of Administration and examined NARA policies governing the appropriate use of the internet. We gained an understanding of NARA’s internet monitoring process, web filtering application, and administrative and disciplinary procedures. We obtained the monthly agency-wide reports listing NARA staff with multiple blocked website access attempts and from these reports, judgmentally selected samples of specific NARA staff with high numbers of blocked attempts. For the NARA staff sampled, we requested detailed internet usage logs, which were generated using NARA’s web filtering application. The monthly reports and detailed user logs were analyzed extensively by the auditors to determine the methods and degree of inappropriate usage and the effectiveness of the procedures in place to prevent such activity. The usage logs only contained data from when the users were connected to NARA’s network; therefore, usage data while working from home with a personal internet connection was not included in our review.

Our audit work was performed at Archives II in College Park, MD between September 2010 and January 2011. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit Results

Controls to Prevent NARA Staff from Accessing Inappropriate Material are not Fully Effective

Although NARA has invested in tools and implemented procedures to monitor and prevent inappropriate internet usage by its staff, NARA employees continue to access prohibited material. This condition exists because NARA is overconfident in the effectiveness of its web filtering application, does not fully utilize the features of this application, and has not established adequate procedures to consistently enforce its policy on inappropriate internet usage. As a result, NARA is at risk for decreased public trust, reduced employee productivity, legal liability, and degradation of network performance.

In May 2010, NARA issued revised Directive 802, Appropriate Use of NARA Office and Information Technology (IT) Equipment and Resources, maintaining authorization for NARA staff to use NARA office and IT equipment and resources when performing limited personal use during non-work time so long as the use does not interfere with official business or involve inappropriate use.
The Directive provides examples of inappropriate use, which (within the scope of this audit) include:

• Using NARA office equipment to engage in activities that are illegal or offensive to fellow staff or the public,
• Creating, downloading, viewing, storing, copying, or transmitting sexually explicit or sexually oriented materials,
• Engaging in any activity prohibited by law or regulation, including illegal gambling, weapons, or terrorist activities,
• Any use of NARA office equipment that could generate more than minimal additional expense to NARA, and
• Downloading games and/or playing them during official business hours.

The Directive stipulates NARA has the right to block access to sites that may contain inappropriate content. Further, the Directive states NARANET system managers use monitoring tools to detect improper use of the system and IT equipment. Lastly, the Directive identifies the potential consequences of inappropriate use, stating violators may be subject to disciplinary action or prosecution.

During the audited time period, consisting of user data from June 2010 through October 2010, roughly 39% of NARA workstation users made multiple attempts at accessing one or more categories of inappropriate sites monitored by NH, NA, and NGC. These categories include:

• Adult Material: Adult Content,
• Adult Material: Lingerie and Swimsuit,
• Adult Material: Nudity,
• Adult Material: Sex,
• Gambling,
• Racism and Hate, and
• Violence.

Although the numbers are alarming, attempts at accessing sites falling within these categories can at times be made unintentionally by NARA staff during normal internet usage. However, the information above is calculated using the threshold—five or more attempts per category, per month—established by NH, NA, and NGC in their monthly reporting and monitoring practices. The majority of attempted inappropriate internet site visits made by NARA staff fell into the “Adult Material” categories; the proportions are presented in the chart below.

[Chart: Inappropriate Categories Attempted by NARA Staff. Adult Material 78%; Gambling 20%; Racism and Hate 1%; Violence 1%.]

Of the NARA staff who attempted to access inappropriate sites, on average, 90% made fewer than 50 attempts in each of the months analyzed. The remaining 10% of NARA staff listed in the monthly reports individually attempted to access inappropriate sites from 50 to as high as 13,816 times during the months analyzed. In certain situations, high attempts at accessing inappropriate material can be a result of users inadvertently loading malware onto their NARA workstations.
However, the analysis performed on the individual user logs of the staff sampled for this review indicated the users intentionally attempted to access inappropriate material on multiple occasions.

Overconfident in the Effectiveness of Web Filtering Application

NH personnel expressed in multiple meetings and correspondence that the current web filter in use, Websense, is more advanced and “robust” than the application NARA used in the past. Therefore, once Websense was implemented in the 2007 timeframe, NH discontinued generating monthly reports detailing inappropriate usage. NH personnel questioned the value of a report showing blocked attempts, as the users theoretically never gained access to the inappropriate sites. However, following more recent discussions with the Archivist regarding the inappropriate usage at the Securities and Exchange Commission (SEC), NH developed a new monthly inappropriate usage reporting process, which they fully implemented in the July 2010 timeframe.

Prior to the implementation of the new monthly reporting process, NARA relied almost exclusively on Websense to prevent NARA staff from accessing inappropriate websites. Once the new procedure went into effect, NA and NGC began receiving a list of users who had five or more blocked attempts in one or more categories during the month. The reports listed numerous NARA employees who consistently made hundreds and even thousands of attempts to access inappropriate material during each month. Although NA prepared to take disciplinary action against one NARA employee for extensive inappropriate use, the employee left the agency before such actions were executed.
Apart from that incident, no other official disciplinary action related to inappropriate usage has taken place since NH initiated the reporting process.

During our review, we selected a sample of users from the monthly inappropriate usage reports NH provided NA and NGC. For the users sampled, we requested the full user internet activity logs (which Websense maintains for every NARA user/workstation for roughly three months). Based on previous correspondence with NH personnel, we expected little evidence of users bypassing the “robust” web filter. However, an initial review of the detailed user activity logs indicated this was not the case. After analyzing the logs more thoroughly, and testing Websense’s capabilities, we identified the following web filter weaknesses:

• NARA staff are able to easily access sexually explicit material           A few examples of the hundreds of sites visited by NARA staff with no web filter restrictions include “          ” “          ” and “          ” These sites and others like them contain page after page of sexually graphic images, yet they are categorized by Websense as           which is not a blocked category. One NARA staff member viewed sexually explicit           nearly 4.5 hours in one day, and accessed to some degree 1,300 explicit           n 28 days, with no web filtering restrictions. (See Appendix A for further detail on how NARA staff bypass Websense using this method).

• Users are able to access           designed to bypass Websense and other web filters. By accessing           the user simply           .
Websense only recognizes           , not the inappropriate site visited           Websense tracks the user going to           but this information is not included in the monthly reports to NA and NGC. By not following-up on users visiting sites such as “          ” “          ,” and “          ” NARA is turning a blind eye to users easily bypassing Websense. One user alone accessed           sites 513,537 times over a three month period. (See Appendix B for further detail on how NARA staff bypass Websense using this method).

• Users           to access inappropriate sites, which likely resulted in the users gaining access. We tested Websense’s blocking ability on a number of the inappropriate sites that were attempted by NARA staff. For the vast majority of sites tested,           would result in successful access (usually only requiring           ). Furthermore, even if           of the inappropriate site was blocked by Websense,           containing inappropriate material were often not filtered and easily accessible.
On a monthly basis, one user made hundreds           a website that identifies itself as the “world’s largest sports betting community.” Another user           a website that calls itself the “home of porn,” which contains sexually explicit images and videos. Based on our testing, it is highly likely these users gained access           (See Appendix C for further detail on how NARA staff bypass Websense using this method).

• Users are able to easily access forums, auction sites, and dating sites for multiple hours per day. Although there may be legitimate reasons for accessing craigslist discussion forums, one NARA staff’s detailed internet activity log showed, for 10 days analyzed, evidence of an average of 2 hours a day devoted to non-work related auctions and forums, some involving dating and sexually explicit topics. The same user was able to frequently access           which identifies itself as “a list of official (listed) and unofficial (hidden/secret/unlisted/ unsupported/homesteaded) craigslist forums.” This directory contains a number of graphic adult forums, which include images and discussions of an inappropriate nature, which are rarely blocked by Websense. (See Appendix D for further detail on how NARA staff bypass Websense using this method).

• Users at           (and possibly other NARA field locations) are not blocked when attempting access to inappropriate websites in uniformity with Archives II. While performing a separate review at           we observed broad access to inappropriate sites while using NARA’s network at this location.
In one example, a hack site “          ” was accessed with no restriction at           however, the same website was appropriately blocked at Archives II. (See Appendix E for further detail).

Aside from the weaknesses identified above, Websense has intermittent failures that allow NARA staff to access inappropriate sites without restriction. We observed one of these intermittent failures while testing Websense’s capabilities, which lasted nearly 6 hours. NH indicated that they typically do not become aware of intermittent Websense failures except in the rare event in which a NARA user reports the failure. NH explained that they have a known issue with the hardware supporting Websense. If the application becomes saturated with internet traffic, it may intermittently let inappropriate access requests go through. NARA is in the process of upgrading Websense to a newer version due in part to the current version not always being able to handle NARA staff’s internet traffic.

During the entrance conference of this audit, after discussing the SEC’s findings of inappropriate use within their agency, an NH official mentioned that the SEC’s situation was likely a result of not having anyone monitor or look at the records. In a follow-on meeting, another NH official stated that the SEC did not have a web filtering product “as good as Websense.” However, until recently, NARA had not been looking at its own staff’s inappropriate usage records, but instead relied almost exclusively on its web filtering application to prevent access to prohibited sites.
As confident as NARA may be in its perceived “robust” web filtering application, NARA staff are easily able to bypass Websense. This was clearly evident by the sample of user logs analyzed during our review. Once informed of the methods NARA staff used to bypass the web filter, NH agreed that the sites accessed should have been blocked by NARA’s web filter and that the current control procedures are not identifying all inappropriate user activity. Further, NH agreed the information pertaining to the bypass methods identified in this report should be used in developing revised control reporting methods in conjunction with NA and NGC.

Underutilization of Available Web Filtering Application Features

NARA is in the process of upgrading to a newer version of Websense. The most recent one year renewal of Websense licenses and support amounted to just over $158,500 (this figure does not include the associated hardware upgrades). However, even with the older version, NARA was not using all the Websense features available to deter and monitor NARA staff’s inappropriate use of the internet. The following Websense functions are underutilized by NARA:

• Reporting. Websense allows the administrator to generate standard and customizable reports on all user information (going back as far as approximately three months). See Figure 1 below for a screenshot of Websense’s standard report menu.
Examples of the standard Websense reports include: “which users were blocked most,” “top users in adult categories,” and “users that spent the most time on [non-] productivity sites.” In addition to the many useful standard reports, NH can also generate customized reports pulling whatever data is needed, either by groups or individuals, real-time or historical timeframes, for any or all categories. Once NH establishes the customized report criteria, as with the standard reports, one click of the mouse begins the automatic process of pulling the data. Currently, NA and NGC only receive a summary report of the blocked attempts for the seven categories defined earlier. User detail reports could also be generated for a specific number of top blocked NARA staff in each category, which would provide NA and NGC more information in deciding whether to pursue disciplinary actions. In addition, NH could generate web proxy reports to determine the extent of NARA staff bypassing the web filter

Figure 1. Screenshot of Websense Standard Reports

• Real-Time Alerts. Websense allows the administrator to set up alerts based on a multitude of factors. For example, an e-mail alert could be sent to NH whenever a NARA employee surpasses 100 blocked “Adult Material: Sex” sites during a 24 hour period.
NH could provide this timely information to NA for further action. Currently, NH only uses this form of Websense alerts in the context of network performance; however, this function would also be useful in monitoring inappropriate internet usage and enforcing NARA Directive 802.

• Keyword Blocks. Websense allows the administrator to establish filtering restrictions that block sites whose web addresses (URLs) contain certain words. When keyword blocking is activated for a category, Websense software blocks any site whose URL contains a keyword assigned to the category. For example, NH could review the user activity of NARA staff that access inappropriate           (as discussed previously) and select keywords to block that are obviously inappropriate.

• Limit by Quota. Websense allows the administrator to establish user, group, workstation, or network time quotas for defined categories. During this review, while observing the Websense application in use by an NH contractor, a real-time report showed that Facebook was the most active website at NARA. Based on that information, an example of the quota function would be for the administrator to set an arbitrary 2 hour maximum time quota for the category “Society and Lifestyles [Social Networking],” which would prevent defined groups of NARA staff from accessing Facebook for more than 2 hours each day.

• Time Period Policy. Similar to the time quota feature, Websense allows the administrator to define policies for NARA staff’s access to specific categories at certain times of the workday.
For example, NH could set Websense to allow access to sites that tend to be personal (i.e., internet auctions, real estate, dating, etc.) only during the hours surrounding lunchtime.

NARA has already invested in the Websense application and these features are available for NARA’s use; however, NH has not implemented all the Websense tools available to effectively enforce NARA Directive 802. Consequently, NARA underutilizes features that assist in blocking access to inappropriate websites and enhance NARANET system managers’ capabilities in meeting their responsibilities in monitoring and detecting improper use of NARA’s system and IT equipment. NH indicated it is not their responsibility to determine what Websense features are put to use; however, NH agreed NARA management should be informed of these features in order to decide whether they should be implemented.

Lack of Enforcement of NARA 802

The effectiveness of NARA Directive 802—like all policy—is in large part dependent upon the degree to which it is enforced. NARA 802 states NARANET system managers use monitoring tools to detect improper use of the system and IT equipment. However, in meetings with NH and NA officials, it became apparent the responsibilities of monitoring are not well defined. NH officials indicated NA and individual supervisors are responsible for monitoring inappropriate usage by NARA’s staff. However, an NA official stated there is no mechanism for allowing supervisors to view their staff’s internet activity. Furthermore, as described earlier, prior to NH generating the monthly blocked reports for NA and NGC, NARA’s web filter application was the only formal control in place.

In addition, the monthly reporting process continues to evolve; this is evidenced by the changing format and differing amounts of information reported from month to month.
Also, the monthly reports are not consistently generated on a given date; some of the reports are generated weeks after the reporting period. The report currently lists NARA staff and their respective blocked attempt totals for each of the seven categories. NH has also at times included a list of the URLs making up the total blocked attempts for each user in a separate spreadsheet. This additional data provides a greater level of detail; however, it only includes the blocked attempts; it does not include the inappropriate sites accessed using                                   Furthermore, up until now, the prevailing mentality has been that the sites on the blocked report were actually blocked, but our review discovered that in nearly all cases, if                                                            the user is granted access.

The effectiveness of NARA 802 is further impacted as NA has not established formal procedures for reviewing the monthly report generated by NH. An NA official indicated they review the list for egregious users; however, no threshold has been established by NA to define what constitutes egregious inappropriate usage. Furthermore, NA focuses primarily on only two of the inappropriate categories: “Adult Material: Nudity” and “Adult Material: Sex.” Although NARA Directive 802 specifically prohibits gambling, it is not something NA has looked into even though past monthly reports have identified users who have consistently attempted, and likely accessed, gambling sites.

During the first five months of the new reporting procedure, NA had contacted one user’s supervisor regarding inappropriate internet usage.
However, during this timeframe there were multiple NARA employees who consistently showed up on the list with hundreds of blocked attempts in various inappropriate categories. In some of the samples reviewed, the monthly blocked attempt report is just the tip of the iceberg in terms of what inappropriate sites were actually accessed by NARA staff. Consequently, NA is only able to review information it is provided by NH. If NH does not fully embrace the monitoring tools available, NA will not have the information needed to fully enforce the policy.

Potential Impact of Not Fully Enforcing NARA Directive 802

NARA’s failure to fully enforce NARA Directive 802, as identified in this report, results in exposure to significant risks as outlined below:

•   Decreased Public Trust. As mentioned earlier, Congress and the media have taken interest in the level of inappropriate internet usage by federal staff within the past year. As NARA continues to strive to address challenges facing its core goals, harmful distractions caused by inappropriate NARA staff internet usage must be avoided. NARA’s customers and stakeholders place enormous trust in NARA to fulfill its mission; as demonstrated at other federal agencies, inappropriate internet usage can negatively impact this trust and add doubt to the agency’s ability to meet its mission.

•   Reduced Employee Productivity. NARA Directive 802 authorizes NARA staff to use the internet for personal reasons, provided it is during non-work time and does not interfere with official business or involve inappropriate use. NARA’s embrace of social media and networking tools is evidenced by the popularity of these sites accessed by NARA staff.
However, if working on social networking tools does not fall within the NARA employee’s job function, hours spent on personal networking can negatively impact efficiency and job performance. Similarly, any time spent accessing inappropriate sites is time being taken away from NARA meeting its mission and providing timely services to its customers.

•   Legal Liability. In accessing sexually explicit internet sites, NARA staff can contribute to creating a hostile work environment. When certain employees repeatedly access sexually explicit material in the workplace, others may be offended or uncomfortable and ultimately bring an action against the agency. This could potentially lead to costs associated with defending the case, along with any resulting settlements or awards.

•   Degradation of Network Performance. Excessive non-business use of the internet increases system exposure to viruses and malware and can cause degradation of network performance. Of particular concern are large video and graphic files often offered for download by sexually explicit sites. Network congestion can cost an organization not only in terms of slowed network performance, but also in the need to upgrade network resources.

Without the proper controls in place to ensure employee compliance with NARA Directive 802, NARA is at risk for continued employee abuse of the internet.
NARA has taken important steps toward implementing the necessary tools to monitor and restrict inappropriate employee internet usage, including establishing appropriate use policy, installing a web filtering application, and establishing a process to generate monthly blocked attempt reports. However, NARA has not developed adequate procedures and devoted the resources necessary to fully enforce NARA Directive 802. NARA staff use a number of methods to bypass NARA’s web filtering application, even though additional tools are readily available to NARA management to restrict inappropriate access. Further, the recently implemented reporting process does not provide the full detail of the inappropriate use taking place, and therefore disciplinary actions are not regularly pursued or enforced by NA.

Recommendations

1. We recommend NA, NH, and NGC work together to:

   a. Develop an interdisciplinary team equipped to identify inappropriate use and address violations of NARA Directive 802 with suitable administrative action.
   b. Establish a threshold of blocked attempts by individual users warranting further analysis for each NARA Directive 802 category.
   c. Develop a monthly report format containing all the user activity for the NARA staff that surpasses the established blocked attempt thresholds.
   d. Define formal roles and responsibilities in monitoring and analyzing the reports generated.
   e. Establish formal criteria based on blocked attempts and successful access totals used to determine if supervisor notification and administrative action is appropriate.

2. We recommend NA provide notice to NARA staff that NA and NH are aware of web filter bypass methods in use (i.e.,                 etc.) and focus will be directed toward identifying violators and aggressively pursuing disciplinary action, up to and including removal.

3. We recommend NH work with the Websense contract staff on a regular basis to implement all available web filter application features and tools that assist with monitoring and enforcing staff internet usage in accordance with NARA Directive 802. These include, but are not limited to:

   a. Generating a customized report identifying NARA users frequenting                   websites and analyzing the user activity to determine the extent of inappropriate usage.
   b. Establishing keyword blocks based on inappropriate              accessed; these keyword blocks should be used to limit                    accessible to NARA employees.
   c. Determining the feasibility of real-time alerts in relaying inappropriate NARA staff internet usage to NA in order to provide the information in a timely manner.
   d. Determining the feasibility of quota limits and time period features limiting the amount of time NARA staff can access non-work related websites throughout the workday.

4. We recommend NH develop a formal schedule to test Websense for intermittent failures and develop procedures for ensuring the web filtering application is reliable.

5. We recommend NH establish tests and procedures to ensure the Websense application at NARA field locations is uniformly configured and no systems are bypassing the web filter.

Management Response

Management concurred with the recommendations.

Appendix A – Example of                                               Accessed with no Web Filter Restriction

NARA staff are easily able to access inappropriate material posted           As shown below in an example of a site visited by a NARA employee,         itself has a warning page indicating the site may contain adult content. However, NARA currently does not provide restrictions         no matter what their content.          typically contain page after page of sexually explicit images.

Appendix B – Example of Web Filter Bypass

NARA staff made multiple attempts at accessing                      In the example below, one NARA user accessed                        which lists a number of               that are not blocked by web filter applications. Once selected, the                                                                                       The example below shows a cropped portion of an adult site that is easily accessible via         Although                 may not be blocked by Websense, it still shows up on the user’s web log; therefore, a review of the log can identify users accessing       .

Appendix C – Example of a Site Accessed by

A number of NARA staff                                                               which based on our analysis typically resulted in the web filter application allowing access. Below is a screen shot of an                 resulting in access to the page.
“              ” was frequented by one of the users sampled over 700 times during a three month period. The site contains sexually explicit videos and images.

Appendix D – Example of Inappropriate Sites Accessible through Message Boards and Forums

One of the sampled NARA users visited a secret craigslist forum list “                   ” 72 times over a three month period, followed by thousands of forum visits. The Websense web filter application categorized this site and the sites accessed through it as                                                                                both of which are not blocked by the Websense application. A portion of a screenshot of “                  ” below gives an example of some of the numerous explicit forum topics available through the site. These forums often contain attached images of inappropriate material which are not typically blocked by the Websense application (a cropped version is shown below).

Appendix E – Example of Discrepancies in Sites Blocked across NARA’s Network

NARA users at field locations are not uniformly restricted from inappropriate websites. The example below shows the unrestricted access of the hack site                    during a separate review at                                             . However, prior to the site visit, the same website was appropriately blocked at Archives II.
This, as well as other examples, shows inconsistencies among web filtering at various NARA locations.

Appendix F – Management’s Response to the Report

NATIONAL ARCHIVES

Date:     March 7, 2011
To:       Paul Brachfeld, Inspector General
From:     David S. Ferriero, Archivist of the United States
Subject:  Audit Memorandum 11-10, Audit of Inappropriate Personal Use of the Internet at NARA

Thank you for the opportunity to comment on this draft report. The report includes five recommendations. We concur with all five recommendations and have already begun working to contain some of the problems noted in the draft report.

If you have questions about these comments, please contact Mary Drak at mary.drak@nara.gov or by phone at 301-837-1668.

David S. Ferriero
Archivist of the United States

Appendix G - Report Distribution List

David S. Ferriero, Archivist of the United States (N)
Adrienne C. Thomas, Deputy Archivist of the United States (ND)
Rick Judson, Acting Assistant Archivist for Administration (NA)
Charles Piercy, Acting Assistant Archivist for Information Services (NH)
Gary M. Stern, General Counsel (NGC)
Steven Heaps, IT Policy Branch Chief (NHPL)
Mary Drak, Policy and Planning Staff (NPOL)
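The monthly report called for in Recommendation 1 (items b, c and e), combined with the keyword idea in Recommendation 3b, is shown here as an added example; it is not part of the OIG report and not Websense functionality. The record layout, thresholds, keywords, user names and URLs are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed monthly thresholds of blocked attempts per category.
THRESHOLDS = {"Gambling": 50, "Adult Material: Sex": 10}
# Constructed keywords per category, checked against permitted URLs.
KEYWORDS = {"Gambling": ("casino", "poker")}

# Constructed records: (user, filter category, disposition, URL).
SAMPLE_LOG = (
    [("user_a", "Gambling", "blocked", "http://bets.example/odds")] * 60
    + [("user_a", "Uncategorized", "permitted", "http://mirror.example/poker/table")] * 25
    + [("user_b", "Gambling", "blocked", "http://bets.example/odds")] * 3
    + [("user_b", "News", "permitted", "http://news.example/today")] * 40
    + [("user_c", "Uncategorized", "permitted", "http://mirror.example/casino-lobby")] * 12
)


def keyword_category(url):
    """Return the category whose keyword occurs in the URL's host, path or query."""
    parts = urlsplit(url.lower())
    haystack = f"{parts.netloc}{parts.path}?{parts.query}"
    for category, words in KEYWORDS.items():
        if any(word in haystack for word in words):
            return category
    return None


def monthly_report(records, thresholds=THRESHOLDS):
    """List users over a blocked-attempt threshold or with permitted keyword hits."""
    blocked = defaultdict(Counter)    # user -> category -> blocked attempts
    permitted = defaultdict(Counter)  # user -> category -> permitted keyword hits
    total = Counter()                 # user -> all requests, blocked or not
    for user, category, disposition, url in records:
        total[user] += 1
        if disposition == "blocked":
            blocked[user][category] += 1
        else:
            hit = keyword_category(url)
            if hit is not None:
                permitted[user][hit] += 1
    report = {}
    for user in sorted(total):
        over = sorted(c for c, n in blocked[user].items()
                      if c in thresholds and n > thresholds[c])
        if over or permitted[user]:
            report[user] = {
                "over_threshold": over,
                "blocked": dict(blocked[user]),
                "permitted_keyword_hits": dict(permitted[user]),
                "total_requests": total[user],
            }
    return report


if __name__ == "__main__":
    for user, row in monthly_report(SAMPLE_LOG).items():
        print(user, row)
```

In the constructed data, user_c has no blocked attempts at all and would be absent from a blocked-only report, but is listed here because of permitted requests whose URLs match a category keyword.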